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(54) Process for protecting an information item transmitted from a security element to a decoder 
and protection system using such a process 



(57) The invention relates to a process for protecting 
an information item transmitted from a security element 
to a decoder and a protection system using such a proc- 
ess. 

The information item is protected by encrypting 



within the security element the information item to be 
transmitted to the decoder and by decrypting this infor- 
mation item within the decoder. 

The invention applies to conditional-access sys- 
tems. 
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Description 

The invention relates to a process for protecting an 
information item transmitted from a security element 
such as, for example, a user-card of a conditional-ac- 
cess system, to a decoder. 

The invention applies more particularly to condition- 
al-access systems for which the descrambling operation 
is performed in the security element which is then, for 
example, a PCMCIA type card complying with the inter- 
face standard known by those skilled in the art as 
"CENELEC/DVB- Common Interface" or a chip card 
complying with the American NRSS standard (standing 
for "National Renewable Security System"). 

The invention applies to any type of conditional-ac- 
cess system, whether this system be of the on-line type 
or the standalone type. 

In an on-line conditional-access system, the scram- 
bled information item is an information item consisting 
of a signal distributed simultaneously to various users. 

In a standalone conditional-access system, the 
scrambled information item is contained on standalone 
information media such as, for example, compact discs 
or digital video discs. 

The information item making up the various pro- 
grammes originating from the issuing source, such as, 
for example, a service provider, is transmitted to the se- 
curity element. The security element descrambles the 
programme selected by the user (provided that the us- 
er's entitlements are present in the security element) 
and sends this programme, as well as the other pro- 
grammes which have remained unchanged, to the de- 
coder 

Such a process has the drawback that the pro- 
gramme selected by the user is transmitted unenci- 
phered. 

Such a transmission can readily be exploited by a 
pirate who can use it to distribute the pirated programme 
illegally. 

Figure 1 represents the schematic of a security el- 
ement/decoder assembly according to the prior art. 

The system of Figure 1 comprises an information 
source I, a decoder 6 and a security element 1 . 

The decoder comprises a demodulation device 7 
and a demultiplexing and decoding device 8. 

The security element t contains a filtering device 2, 
a descrambling device 3, an access control device 4 and 
a user entitlement storage device 5. 

The information item I issued by the issuing source 
contains one or more multiplexed programmes, for ex- 
ample, according to the MPEG-2 transport standard 
(standing for "Moving Picture Expert Group"). 

As is known to those skilled in the art, the pro- 
grammes output by the issuing source are scrambled 
programmes. The information item I contains, in mes- 
sages which will hereafter be denoted ECM, the en- 
crypted control words allowing, after decryption, the de- 
scrambling of the scrambled programmes. 



After the decoder receives the information item I, 
the latter is demodulated by the device 7 and then trans- 
mitted in full to the security element 1 . The latter filters, 
with the aid of the device 2, the ECMs (denoted ECMA 

5 in Figure 1) corresponding to the programme selected 
by the user and transmits them to the device 4 for 
processing. The non-filtered part of the information item 
is transmitted without modification to the descrambler 3. 
The device 4 carries out the conventional functions for 

10 processing the ECMs, and, in particular, decrypts the 
control words CWi which they contain, provided that the 
entitlements D necessary for descrambling the selected 
programme and output by the device 5 are applied to 
the device 4. 

15 The control words CWi are subsequently transmit- 
ted to the descrambling device 3 which uses them to 
descramble the programme selected by the user. The 
information item output by the descrambler 3 is trans- 
mitted to the demultiplexing and decoding device 8 so 

20 as to generate the usable, i.e., for example, displayable 
in the case of a film, information item ECG1 . 
The invention does not have this drawback. 
The invention relates to a process making it possi- 
ble to transfer from a security element to a decoder a 

25 stream of data arising from a descrambler included with- 
in the security element. The process comprises a first 
step making it possible to encrypt, in the security ele- 
ment, the information item arising from the descrambler 
under the action of a first encryption key and a second 

30 step making it possible to decrypt, in the decoder, the 
encrypted information item arising from the first step, un- 
der the action of a second encryption key. 

The invention also relates to a security element con- 
taining a descrambler making it possible to descramble 

35 the information item which it receives under the action 
of control words. The security element comprises a de- 
vice for encrypting the descrambled information item 
arising from the descrambler under the action of a first 
encryption key. 

40 The invention also relates to a decoder making it 
possible to decode data arising from a security element, 
the said data representing at least one programme se- 
lected by a conditional-access system user. The decod- 
er comprises a decryption device making it possible to 

45 decrypt, under the action of a second key, the data aris- 
ing from the security element, the said data being data 
which are descrambled and encrypted under the action 
of a first key. 

The invention further relates to an assembly made 
50 up of a security element and of a decoder. The security 
element is a security element according to the invention 
such as that mentioned above and the decoder is a de- 
coder according to the invention such as that mentioned 
above. 

55 As has been mentioned earlier, an advantage of the 
invention consists in protecting the transmission of the 
programme selected by the user from the security ele- 
ment to the decoder. 
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Other characteristics and advantages of the inven- 
tion will emerge on reading embodiments of the inven- 
tion given with reference to the appended figures in 
which: 

Figure 1 represents the schematic of a security el- 
ement/decoder assembly according to the prior art; 
Figure 2 represents the schematic of a security el- 
ement/decoder assembly according to a first em- 
bodiment of the invention; 

Figure 3 represents the schematic of a security el- 
ement/decoder assembly according to a second 
embodiment of the invention; 
Figure 4 represents the schematic of a security el- 
ement/decoder assembly according to a third em- 
bodiment of the invention. 

In all the figures, the same labels denote the same 
elements. 

Figure 2 represents the schematic of a security el- 
ement/decoder assembly according to a first embodi- 
ment of the invention. 

In addition to the elements described in Figure 1, 
the decoder 6 comprises a decryption device 9 and the 
security element 1 comprises an encryption device 10. 
The programme selected by the user is encrypted by 
the device 10 using an encryption key K. Conversely, 
the device 9 decrypts the programme with the help of 
the same key K. Advantageously, this avoids having 
transmission of the programme unenciphered between 
the security element and the decoder. 

According to the invention, the encryption and de- 
cryption key K can be common to all the security ele- 
ment/decoder pairs, but can also be specific to each pair 
or group of security element/decoder pairs. Advanta- 
geously, the production of pirate clones of security ele- 
ments is thereby impaired. 

Thus, this technique forces pirates to customize 
each of their clones on the basis of the decoder to which 
they are connected. This has the consequence of com- 
plicating their task and hence of reducing the rewards 
which they may derive from piracy. 

According to a particular implementation of the em- 
bodiment of Figure 2, a public key algorithm can be used 
for the devices 9 and 1 0. In this case, the encryption key 
is different from the decryption key and, in a preferred 
manner, the secret key is used for encryption in the se- 
curity element while the public key is used for decryption 
in the decoder. 

According to this first embodiment of the invention, 
the key K is a key stored permanently both in the security 
element and in the decoder. 

Figure 3 represents the schematic of a security el- 
ement/decoder assembly according to a second em- 
bodiment of the invention. 

In addition to the elements described in Figure 2, 
the decoder comprises a device 1 1 for generating a ran- 
dom number or random words AL and a device 12 for 



4 

generating decryption keys and the security element 
comprises a device for generating encryption keys 13. 

Instead of using a fixed key K, as in Figure 2, the 
encryption and decryption keys are here generated dy- 
5 namically. To do this, the decoder 6 generates a random 
number AL by way of the device 11 and transmits it to 
the device 1 3 of the security element. Moreover, the de- 
vice 11 transmits the random number to the device 12. 
The latter encrypts the random number AL under the 
10 action of a key K1 so as to give the decryption key K. In 
the same way, the device 1 3 of the security element en- 
crypts the random number under the action of a key K1 
and produces the encryption key K. 

According to a particular embodiment of the inven- 
ts tion, described in Figure 3, the encryption algorithm 
used by the devices 12 and 13 can be replaced by a 
"one-way" function with key K1. Such a function is for 
example described in the European patent application 
filed under number 96401336.1-2209. 
20 Advantageously, the devices 1 2 and 1 3 prevent any 
pirate from discovering the encryption/decryption key K 
solely through the data item AL which travels between 
the decoder and the security element. 

According to another particular embodiment of the 
25 invention, the key K1 used by the devices 1 3 and 1 2 can 
be specific to the security element/decoder pair, thus ex- 
hibiting the advantages mentioned earlier. 

According to another particular advantageous em- 
bodiment of the invention, the procedure for generating 
30 the encryption and decryption key K can be renewed 
each session or else several times per session. Session 
should be understood to be an uninterrupted sequence 
of reception of one and the same programme by a user. 
These renewals of the keys K exhibit, among other 
35 things, the following benefits: 

on the one hand, they make it possible to increase 
the soundness of the encryption/decryption algo- 
rithm of the devices 9 and 10. Soundness of the al- 
40 gorithm should be understood to be the resistance 
of the algorithm to piracy by cryptanalysis. 

The frequency of renewal of the keys directly influ- 
ences the amount of data encrypted with the same key 
45 made available to a pirate so as to cryptanalyse the al- 
gorithm. Since limiting this amount increases the resist- 
ance of the algorithm to attacks, frequent renewals of 
the key K increase the soundness of the encryption/de- 
cryption algorithm of the devices 9 and 10. 

50 

on the other hand, it makes it possible to avoid re- 
playing previously selected programmes. 

Thus, if an ill-intentioned user or a pirate records 
55 the information output by the device 10, and therefore 
records, at the instant t, the selected programme in a 
form encrypted with a key denoted K,, he will not be able 
to use the said programme subsequently since the de- 
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cryption key at the instant t+At, denoted K i+M , will be 
different from the encryption key K t . 

Figure 4 represents the schematic of a security el- 
ement/decoder assembly according to a third embodi- 
ment of the invention. 

In addition to the elements described in Figure 2, 
Figure 4 includes, in respect of the decoder, a random 
number generator 11 and an encryption device 14 and, 
in respect of the security element, a decryption device 
15. 

The generator 11 generates a random number AL 
which is used directly as decryption key K by the device 
9. Moreover, the random number AL is transmitted to 
the device 14 which encrypts it and transmits it to the 
device 15 of the security element. The encryption per- 
formed by the device 14 is performed under the action 
of a key K2. On the security element side, the encrypted 
random number E(AL) is decrypted by the device 15 un- 
der the action of a key K2 and the result AL is transmitted 
to the device 10 so that it serves as encryption key K. 

According to another embodiment of the invention, 
a public key algorithm can be used for the devices 14 
and 15. In this case, the encryption key is different from 
the decryption key and, in a preferred manner, the secret 
key is used for decryption in the device 15 whilst the 
public key is used for encryption in the device 14. 

Advantageously, the devices 14 and 15, whether 
they use a symmetric algorithm or a public key algo- 
rithm, prevent any pirate from discovering the encryp- 
tion/decryption key K merely by knowing E(AL). 

According to the particular embodiments of the in- 
vention which were mentioned earlier: 

the random number AL can be generated once per 
session or indeed several, times during the same 
session; 

the encryption/decryption key K2 used by the de- 
vices 1 4 and 1 5 can be made specific to the security 
element/decoder pair, thus exhibiting the above- 
mentioned advantages. 

In the context of the invention, for all the embodi- 
ments described in Figures 2, 3 and 4, the choice of the 
encryption/decryption algorithm of the devices 9 and 10 
results from a compromise between the desired level of 
protection of the programmes and the complexity of the 
algorithm implemented in the decoder and in the secu- 
rity element. 

Thus, a symmetric algorithm which is simple to im- 
plement via a dedicated circuit is preferred. Such an ar- 
rangement makes it possible, advantageously, to re- 
duce the cost of implementation and to ensure high en- 
cryption/decryption rates, for example of the order of 
about ten Megabits per second. Renewal of the encryp- 
tion keys then advantageously allows the use of a sim- 
ple algorithm while decreasing the risks of piracy by 
cryptanalysis. 

Furthermore the systematic decryption performed 



by the device 9 of the decoder exhibits a particular ben- 
efit, viz. that the user can display, via the decoder, only 
the programmes originating from the security element. 
This implies, for example, that unenciphered pirate pro- 

5 grammes may not be played on the decoder alone. 

In the case in which the keys K1, K2 are specific to 
each security element/decoder pair, the abovemen- 
tioned property of systematic decryption has an addi- 
tional advantage, viz. of preventing any pirate from sup- 

10 plying the same programme to decoders which are dif- 
ferent from the decoder which he has pirated. 

Moreover, for all the embodiments of the invention 
described in Figures 2, 3 and 4, the implementation con- 
sisting in integrating the devices 8 and 9 into the same 

15 electronic circuit will be preferred. This is so as to pre- 
clude the contents of the selected programme from ap- 
pearing unenciphered between the two devices. 



20 Claims 

1 . Process making it possible to transfer from a secu- 
rity element (1) to a decoder (6) a stream of data 
arising from a descrambler (3) contained in the se- 

25 curity element (1 ), the said stream of data repre- 
senting at least one programme selected by a con- 
ditional-access system user, characterized in that it 
comprises a first step making it possible to encrypt 
in the security element (1 ) the data arising from the 

30 descrambler (3) under the action of a first key (K) 
and a second step making it possible to decrypt in 
the decoder (6) the encrypted information item aris- 
ing from the first step, under the action of a second 
key (K). 

35 

2. Process according to Claim 1 , characterized in that 
the first step comprises a step making it possible to 
generate random words (AL) in the decoder and a 
step making it possible to encrypt the random words 

40 generated (AL) under the action of a third key (K1 ) 
in such a way as to generate the first key and in that 
the second step comprises a step making it possible 
to encrypt the random words (AL) in such a way as 
to generate the second key (K). 

45 

3. Process according to Claim 1 , characterized in that 
the first step comprises a step making it possible to 
generate at least one random word (AL) in such a 
way that this random word constitutes the first key 

50 (K) during the whole of the descrambler (3) de- 
scrambling session and in that the second step 
comprises a step of encryption of the random word 
(AL) under the action of a fourth key (K2) in such a 
way as to make up an information item made up of 

55 an encrypted random word (E(AL)), and a step con- 
sisting of the decrypting of the encrypted random 
word (E(AL)) in such a way that the decrypted ran- 
dom word constitutes the second key (K). 
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4. Process according to Claim 1 , characterized in that 
the first key (K) is stored permanently in the user- 
card (1 ) and in that the second key (K) is stored per- 
manently in the decoder (6). 

5. Security element (1) containing a descrambler (3) 
making it possible to descramble the data which it 
receives under the action of control words (CWj), the 
said data representing at least one programme se- 
lected by a conditional-access system user, char- 
acterized in that it comprises a device (10) for en- 
crypting the descrambled information item arising 
from the descrambler (3) under the action of a first 
encryption key (K). 

6. Security element (1 ) according to Claim 5, charac- 
terized in that it comprises a device for generating 
encryption keys (13) making it possible to generate 
the first key (K) under the action of a random word 
(AL). 

7. Security element (1 ) according to Claim 5, charac- 
terized in that it comprises a decryption device (1 5) 
making it possible to generate, under the action of 
a decryption key (K2), the first key (K). 



12. Assembly made up of a security element (1) and of 
a decoder (6) associated with this security element, 
characterized in that the security element is a secu- 
rity element (1 ) according to Claim 7 and in that the 

s decoder (6) is a decoder according to Claim 10. 

13. Assembly according to Claim 11 or 12, character- 
ized in that the first key and the second key are keys 
specific to the said assembly. 

10 



15 



20 
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8. Decoder (6) making it possible to decode data aris- 
ing from a security element (1), the said data rep- 
resenting at least one programme selected by a 
conditional-access system user, characterized in 30 
that it comprises a decryption device (9) making it 
possible to decrypt, under the action of a second 
key (K), the data arising from the security element 
(I), the said data being data which are descrambled 
and encrypted under the action of a first key (K). 35 



9. Decoder (6) according to Claim 8, characterized in 
that it comprises a generator (11) of random words 
generating at least one random word (AL) and a de- 
vice for generating decryption keys (12) from the 40 
random word thus generated, in such a way that the 
decryption key arising from the said generating de- 
vice (12) is the second key (K). 



10. Decoder (6) according to Claim 8, characterized in 45 
that it comprises a generator (11) of random words 
making it possible to generate at least one random 
word making up the second key (K) and an encryp- 
tion device (14) making it possible to encrypt the 
random word making up the second key under the $o 
action of an encryption key (K2). 



1 1 . Assembly made up of a security element (1 ) and of 
a decoder (6) associated with this security element, 
characterized in that the security element is a secu- 55 
rity element (1 ) according to Claim 6 and in that the 
decoder (6) is a decoder according to Claim 9. 
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